-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS,
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication.

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) ☒ Responsive to communication(s) filed on 04 October 2007.
2a) □ This action is FINAL. 2b) ☒ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) ☒ Claim(s) 1-31 is/are pending in the application.

4a) Of the above claim(s) ____ is/are withdrawn from consideration.

5) □ Claim(s) ____ is/are allowed.

6) ☒ Claim(s) 1-31 is/are rejected.

7) □ Claim(s) ____ is/are objected to.

8) □ Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) □ The drawing(s) filed on ____ is/are: a) □ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) □ All b) □ Some * c) □ None of:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. ____.

3. □ Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).

* See the attached detailed Office action for a list of the certified copies not received.



Attachment(s) 

1) ☒ Notice of References Cited (PTO-892)

2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948)

3) □ Information Disclosure Statement(s) (PTO/SB/08), Paper No(s)/Mail Date ____.

4) □ Interview Summary (PTO-413), Paper No(s)/Mail Date ____.

5) □ Notice of Informal Patent Application

6) □ Other: ____.



U.S. Patent and Trademark Office 
PTOL-326 (Rev. 08-06) 



Office Action Summary



Part of Paper No./Mail Date 20080106 
DETAILED ACTION

In the amendment filed on 10/04/2007, the following have occurred: claims 6, 7, 14, 15, 
21, 22, 29 and 30 have been amended, and claims 1-31 are currently pending. 

Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains.
Patentability shall not be negatived by the manner in which the invention was made. 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 
USPQ 459 (1966), that are applied for establishing a background for determining 
obviousness under 35 U.S.C. 103(a) are summarized as follows: 

1. Determining the scope and contents of the prior art.

2. Ascertaining the differences between the prior art and the claims at issue. 

3. Resolving the level of ordinary skill in the pertinent art. 

4. Considering objective evidence present in the application indicating 
obviousness or nonobviousness. 

2. Claims 1, 4, 9, 12, 17-19, 24, 27 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Applicant's Background of the Invention (ABI hereinafter, Pub no.:
20020138416, please see the disclosed background of the invention) in view of
Kalyan (US PAT: 6266655).

Re claims 1, 9, 17 and 24. ABI discloses a method for assessing and/or managing
risks for an organization, comprising the steps of: (a) inventorying a plurality of assets of
the organization, wherein each asset is defined to be one of an electronic asset type
and a location asset type, and wherein the electronic asset type includes computers and
networking equipment therefor and the location asset type includes physical locations
where the electronic asset types are placed (i.e., inventory and definition. In order to
measure the theoretical impact of a risk, the organization determines its assets (e.g.,
electronic devices, electronically stored data, etc.) that are involved in support of critical
processes, see paras 0015 of the applicant's specification); (b) identifying at least one
criterion defining a security objective of the organization (i.e., vulnerability and threat
assessment, see paras 0017); (c) identifying one or more inventoried assets that relate
to the identified criterion (i.e., once assets have been identified, a value is assigned to
each asset, see paras 0015), and (e) assessing the risk to the organization based on
the measured values of the one or more metric equations (i.e., once risk has been
assessed and identified, the organization can choose to accept the risk, mitigate the
risk, or transfer the risk, see paras 0024). ABI does not explicitly disclose formulating
one or more metric equations for each identified criterion, each metric equation being
defined, in part, by the one or more identified assets, wherein each metric equation
yields an outcome value when one or more measurements are made relating to the
identified assets. However, Kalyan discloses the formulating and solving of equations
for identified criteria (see the abstract, also see fig. 4 elements 43 and 44). Thus it would
have been obvious to one of ordinary skill in the art to incorporate the teachings of
Kalyan into ABI to formulate and solve metric equations defining one or more assets of
the organization since doing so would provide answers to business organizational
questions in a more efficient and systematic way. Further, it is old and well-known in the
business and scientific world to set up metric equations for measured variables, wherein
this statement of equality between two expressions consisting of variables and/or
numbers is used to answer business organizational questions in a systematic way.
Thus, it would have been obvious to one of ordinary skill in the art to incorporate the old
and well-known teachings supra into ABI to find answers to business organizational
questions in a more efficient and systematic way.

Re claims 4, 12, 19, 27. ABI further discloses the method, wherein the plurality of
assets are defined to be one of a user type, a user population type, a data type and a
network type in addition to the electronic type and the location type, wherein the user
type relates to an individual user and the user population type relates to a group of
users (i.e., e.g., electronic devices, electronically stored data, etc., see paras 0015).

Re claim 18. ABI further discloses the system, wherein the computer is further
configured to: electronically scan the plurality of assets (i.e., there are a number of
tools available to electronically scan electronic devices and assess vulnerabilities within
electronic devices, see paras 0019); interview members of the organization to identify
the plurality of assets; and manually identify the plurality of assets (i.e., inventory and
definition, paras 0015).

3. Claims 2, 3, 5-8, 10, 11, 13-16, 20-23, 25-26, and 28-31 are rejected under 35
U.S.C. 103(a) as being unpatentable over ABI in view of Kalyan as applied to claim 1
supra, further in view of Norton et al. (Norton, hereinafter, Pub No.: 2002/0091699).

Re claims 2, 10, 25. ABI does not explicitly disclose the method wherein the step (a)
comprises the step of: identifying the plurality of assets and storing the identified assets
into a database. However, Norton makes this disclosure (i.e., standardized asset
database, see fig. 1a, see also col.1 paras 0003). Thus, it would have been obvious to
one of ordinary skill in the art to incorporate the teachings of Norton into ABI and Kalyan
to effectively manage access to the asset information.

Re claims 3, 11, 26. ABI further discloses the method, wherein the step of identifying
the plurality of assets comprises at least one of: electronically scanning the plurality of
assets (i.e., there are a number of tools available to electronically scan electronic
devices and assess vulnerabilities within electronic devices, see paras 0019);
interviewing members of the organization to identify the plurality of assets; and manually
identifying the plurality of assets (i.e., inventory and definition, paras 0015).

Re claims 5-8, 13-16, 20-23, 28-31. ABI does not explicitly disclose the method, further
comprising the step of: establishing at least one relationship between the plurality of
assets. However, Norton makes this disclosure (see fig.B, also see col.4 paras 0085-
0090). Thus, it would have been obvious to one of ordinary skill in the art to incorporate
the teachings of Norton into ABI and Kalyan to effectively manage access to the asset
information.

Response to Arguments 

The applicant argues in substance that the primary reference, ABI, fails to teach "a 
location asset type that includes the physical location of an electronic asset." Contrary 
to the applicant's assertion, ABI teaches "In order to measure the theoretical impact of a 
risk, the organization determines its assets (e.g., electronic devices, electronically
stored data, etc.) that are involved in support of critical processes, see paras 0015 of 
the applicant's specification." Thus the examiner contends that the assets that are 
determined by the organization encompass all asset types. Further, Paragraph 0015 of 
applicant's background of the invention clearly states that the organization determines 
its assets which obviously include location and electronic asset types. 

The applicant further argues that ABI fails to disclose identifying at least one 
criterion defining a security objective of the organization. Contrary to the applicant's 
assertion, ABI teaches Vulnerability and threat assessment, see paras 0017 of 
applicant's background of the invention. The examiner contends that Vulnerability and 
threat assessment are criteria defining a security objective of the organization. 

The applicant further argues that ABI fails to teach identifying one or more 
inventoried assets that relate to the identified criterion. Contrary to applicant's assertion, 
ABI teaches identifying assets and assigning a value to each asset, see paras 0015 of 
applicant's background of the invention. 

The applicant further argues that ABI fails to teach assessing the risk to the 
organization based on the measured values of the one or more metric equations. 
Contrary to the applicant's assertion, ABI teaches identifying and assessing the risk of 
the organization, see paras 0024 of applicant's background of the invention. 

All in all, every other argument is moot in view of new ground of rejection. 

Conclusion



Any inquiry concerning this communication or earlier communications from the
examiner should be directed to OJO O. OYEBISI whose telephone number is (571)
272-8298. The examiner can normally be reached on 8:30 A.M.-5:30 P.M.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, JAMES TRAMMELL, can be reached on (571) 272-6712. The fax phone
number for the organization where this application or proceeding is assigned is 571-
273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for
published applications may be obtained from either Private PAIR or Public PAIR.
Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should
you have questions on access to the Private PAIR system, contact the Electronic
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a
USPTO Customer Service Representative or access to the automated information
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.